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The Information Commissioner’s response to Ofgem’s Call for 
Evidence on the potential impacts on consumers following market- 
wide settlement reform 


About the ICO 


The Information Commissioner has responsibility for promoting and enforcing the 
EU General Data Protection Regulation (‘GDPR’), the Data Protection Act 2018 
(‘DPA’), the Freedom of Information Act 2000 (‘FOIA’), the Environmental 
Information Regulations 2004 (‘EIR) and the Privacy and Electronic 
Communications Regulations 2003 (‘PECR’). She is independent from 
government and upholds information rights in the public interest, promoting 
openness by public bodies and data privacy for individuals. The Commissioner 
does this by providing guidance to individuals and organisations, solving 
problems where she can, and taking appropriate action where the law is broken. 


The Commissioner welcomes the opportunity to respond to Ofgem’s Call for 
Evidence on the potential impacts on consumers following market-wide 
settlement reform. 


Views on communication to facilitate/encourage consumers to 
engage 


The Commissioner acknowledges there are benefits for both suppliers and 
consumers in ensuring increased engagement within the energy market. In 
facilitating this, the sector must be transparent in how this is to be achieved so 
consumers find themselves in a fully informed position. 


The Commissioner is not in a position to ‘rubber stamp’ or promote particular 
forms of communication believed to lead to increased engagement within the 
sector. In this context the Commissioner will look to highlight the requirements 
of both the GDPR, the DPA and PECR should certain avenues of communication 
be explored. 


Whilst it is permissible for specific information to be communicated to consumers 
in an attempt to engage them in the energy market, Ofgem and energy suppliers 
must ensure this is considered appropriately and undertaken in a fair and lawful 
manner. Processing of personal data must always be fair as well as lawful. This 
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means that a data controller must process personal data transparently and only 
handle personal data in ways that people would reasonably expect. 


In the context of communications that facilitate or encourage engagement within 
the energy market, Ofgem and suppliers will need to be mindful that such 
communications may constitute direct marketing. 


The definition of direct marketing covers both the promotion of aims and ideals 
as well as the sale of products and services. Where consumers are being 
encouraged to consider the benefits of engaging with a certain system or 
provider, the data controller will need to be able to demonstrate that consent 
was knowingly and freely given, clear and specific, in relation to the provision of 
marketing materials for the topic. 


Guidance published by the Commissioner has made it clear that consent requires 
an individual to opt-in to the marketing by undertaking a clear and affirmative 
action, such as actively ticking a consent box. Data controllers should also keep 
clear records of what the data subject has consented to, to ensure the processing 
does not exceed what has been outlined. Suppliers should also be mindful that 
the rights of the data subject include the entitlement to withdraw consent for the 
processing to occur at any time. 


Whilst it is recognised that, in some circumstances, suppliers are under a legal 
requirement to undertake certain initiatives, such as the roll-out smart meters, 
the requirement does not override the obligations set out in both the GDPR and 
PECR. This means that if the supplier does not have appropriate consent to send 
marketing materials to the data subject, the communication will need to be 
worded neutrally, providing information without any encouragement or 
promotion. 


It is good practice to allow people to easily access and update their consent. It 
should be kept under review and refreshed if anything changes - for example, if 
processing operations or purposes evolve, the original consent may not be 
specific or informed enough. Data controllers should also consider whether to 
automatically refresh consent at appropriate intervals. 


The above may also lead to the need for a data protection impact assessment 
(‘DPIA’) to be undertaken. The DPIA process is an integral part of data protection 
by design and by default and can help in identifying the type of technical and 
organisational measures needed to ensure the intended processing complies with 
the requirements of GDPR. 
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Additionally, whilst it is expected that the majority of individuals that Ofgem and 
suppliers are looking to consider in these proposals are those categorised as 
‘disengaged’ customers, individuals who already make use of a smart meter must 
also be considered. These customers will have engaged in the smart metering 
programme on the basis that they will be asked for consent for access to half 
hourly consumption data in all circumstances. 


Should suppliers look to produce communications that include this level of 
granularity without the data subject opting into the processing, this is likely to 
conflict with what is outlined within the Data Access and Privacy Framework 
(‘DAPF’) and is also likely to be in contravention of the fairness and lawfulness 
principles of data protection legislation. However, it is acknowledged that Ofgem 
is reviewing access to half hourly data, to establish whether the conditions for 
settlement purposes need amending. 


Aside from communication, what other measures or initiatives 
would encourage consumers to become more confident about 
engaging with their energy use? 


Whilst it is not the role of the Commissioner to endorse particular practices when 
engaging with consumers, it is important that the principle of transparency is 
factored into the work being undertaken by Ofgem and suppliers. 


Transparent processing ensures a data controller is clear, open and honest about 
the processing being undertaken and the implications that may arise for the data 
subject. Using a transparent methodology when processing data and engaging 
with a consumer should increase consumer confidence and encourage individuals 
to engage in new initiatives, such as access to half hourly smart meter data. 


Transparency is particularly important where the consumer has a choice as to 
whether to engage with an organisation and the initiative being promoted. If 
individuals know at the outset how their personal data is being processed, they 
will be able to make an informed decision. 


In this context, the data subject will be better informed about the metering 
arrangements available to them and how these are measured. As a result, 
consumer confidence in the arrangements and tariffs available to them may 
conceivably increase. 
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Finally, the Commissioner would welcome further consultation with Ofgem 
regarding the issues covered in this call for evidence. She is supportive of 
initiatives that allow personal data to be utilised in beneficial ways for individuals 
and has set out her commitment to increasing consumer trust in the processing 
of personal data. 


In particular, the Commissioner would like to take this opportunity to highlight 
the requirements of Article 36(4) of the GDPR, which requires member states to 
consult with the supervisory authority during the preparation for a proposal of a 
legislative or regulatory measure. This, in practice, requires UK Government 
departments, such as Ofgem, to consult with the ICO on such policy proposals. 
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